Managing Third Party Risk

Presentation Transcript


  1. Managing Third Party Risk
     In a world fraught with Risk
     Trust in the Cloud: How are you Protecting Customer Data?
     February 26, 2014
     Case Study: Vincent Campitelli, McKesson Corporation

  2. Vendor Management Life Cycle

  3. How are they identified?
     • Spend Analysis
     • Corporate Procurement
     • IT Procurement
     • Legal / contracting
     • Compliance Officers
     • Business Unit managers

  4. Assess Inherent Risk
     • Service description
     • Contract Review
     • R.A. questionnaire
     • Risk Rating

  5. Conduct Due Diligence (due-diligence items applied at each inherent risk rating; what remains afterwards is the residual risk)
     Item                    Low risk   Moderate risk   High risk
     Contract                   ✓             ✓              ✓
     Security Exhibits          ✓             ✓              ✓
     BAA                        ✓             ✓              ✓
     Validation procedures                    ✓              ✓
     On-going monitoring                      ✓              ✓
     Inherent Risk → Due Diligence → Residual Risk

  6. Apply Risk Mitigation
     • Contracts
       • Company paper
       • Right to audit
       • SLAs
     • Conditional Acceptance
       • Third party reports
       • Annual requirement
       • Scope adjustment
       • Corrective action plans

  7. Monitoring
     • Geopolitical events
     • Environmental events
     • Business events
     • Contract events
     • SLA performance
     • Mergers / acquisitions / ownership
     • Fines / penalties / violations
     • Audit failures

  8. "Going to the Cloud"
     • Lack of visibility
     • Lack of control
     • Contractual limitations
       • Right to audit
       • SLA limitations
       • Exit strategy
       • Data retention / location / return / use
     • Reliance on 3rd party reporting
     • New Requirements
       • Monitoring
       • Oversight

  9. How are they identified?
     • Spend Analysis
     • Corporate Procurement
     • IT Procurement
     • Legal / contracting
     • Compliance Officers
     • Business Unit managers
     • CLOUD BASED

  10. Assess Inherent Risk
     • Service description
     • Contract Review
     • R.A. questionnaire
     • Risk Rating
     • Tailored for CSPs:
       • CSA CAIQ
       • CCM v3.0
       • STAR Registry
       • Response indices: Yes / No / AI

  11. Conduct Due Diligence (due-diligence items applied at each inherent risk rating; what remains afterwards is the residual risk)
     Item                    Low risk   Moderate risk   High risk
     Contract                   ✓             ✓              ✓
     Security Exhibits          ✓             ✓              ✓
     BAA                        ✓             ✓              ✓
     Validation procedures                    ✓              ✓
     On-going monitoring                      ✓              ✓
     Inherent Risk → Due Diligence → Residual Risk

  12. Cloud Services: Responsibility / Accountability

  13. Control Responsibilities by Service Model

  14. CSA CCM Controls: Key Controls

  15. CSA based Control Requirements

  16. Apply Risk Mitigation
     • Contracts
       • Company paper
       • Right to audit
       • SLAs
       • Security SLAs
     • Conditional Acceptance
       • Third party reports (SOC 2)
       • Annual requirement
       • Scope adjustment
       • Corrective action plans